Scanning Images with Trivy
Introduction
Trivy is an open-source security scanner that detects vulnerabilities in container images, file systems, and Git repositories. For a container image it identifies known vulnerabilities in both operating system packages (apk, deb, rpm) and application dependencies (language lock files and package manifests bundled into the image). Trivy matches package versions against a regularly updated vulnerability database, so a clean scan means no known issues in the database as of the scan, not that the image is free of defects; rescan images on a schedule as the database changes.
Commands
The Trivy commands and flags for image scanning that are most useful for the CKS exam:
Basic Image Scan
trivy image <image_name> scans the named container image for vulnerabilities, pulling it from the registry (or reading it from the local container runtime) and downloading or refreshing the vulnerability database on first use.
Output and Formatting
- Output in JSON Format:
Scans the image and writes the results as JSON to a file (-f json -o <file>). Use this when another tool or a CI gate has to consume the findings.
- Output in Table Format:
Scans the image and prints the results as a human-readable table (-f table). This is the default format, so it needs no flag.
Severity Filtering
- Filter by Severity:
Scans the image and reports only vulnerabilities of the listed severities (--severity HIGH,CRITICAL). The value is a comma-separated list drawn from UNKNOWN, LOW, MEDIUM, HIGH and CRITICAL; anything not listed is dropped from the output, not just sorted lower.
Cache Management
- Clear Cache:
Clears the local cache used by Trivy (--clear-cache) before scanning the image. The cache holds previously analysed image layers; clearing it forces a fresh analysis, which is useful when a rebuilt image reuses a tag. Newer Trivy releases also expose this as a separate trivy clean command.
Ignoring Specific Vulnerabilities
- Ignore Specific Vulnerabilities:
Uses a .trivyignore file in the current directory (or one named with --ignorefile) to list vulnerability IDs, one per line, that are suppressed during scanning. An ignored entry is hidden, not fixed, so record the reason next to each ID and review the file when the base image changes.
Advanced Options
- Timeout Setting:
Sets a maximum duration for the scan (--timeout, for example --timeout 10m). Large images or slow database downloads can otherwise exceed Trivy's default limit and abort the scan.
- Ignore Unfixed Vulnerabilities:
Omits vulnerabilities for which the distribution has not yet published a fixed package version (--ignore-unfixed). This keeps the report actionable, but the unfixed issues are still present in the image.
- Skip Update:
Skips refreshing the vulnerability database before scanning (--skip-update; current releases spell it --skip-db-update). Only use it when the database was updated recently or the host is offline, because the scan is then only as current as the cached database.
Comprehensive Scan with All Details
trivy image --severity HIGH,CRITICAL --ignore-unfixed --skip-update -f json -o results.json <image_name>
A scan that filters to high and critical severity, omits vulnerabilities without an available fix, skips the database update, and writes the results as JSON to results.json. Note that this combination is tuned for a fast, actionable report: with --skip-update the findings reflect the cached database, and with --ignore-unfixed the JSON will not contain issues that have no fix yet, so do not treat an empty result as proof that the image carries no known vulnerabilities.
These commands allow you to perform detailed and customizable scans on container images, ensuring you can identify and manage vulnerabilities.
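The following shell script is an added example, not part of the original page or of the Trivy project: it wraps the flags above into a small CI-style helper and applies a severity gate to a Trivy JSON report. The image name, output path, .trivyignore contents and the sample report (with placeholder IDs SAMPLE-0001 to SAMPLE-0004) are constructed for illustration; the report follows Trivy's JSON layout (SchemaVersion 2, Results[].Vulnerabilities[].Severity). The wrapper uses --skip-db-update, the current spelling of the page's --skip-update.

```shell
#!/bin/sh
# Added example (not from the original page): a CI wrapper around
# `trivy image` plus a severity gate over its JSON report.
# Image names, paths and the sample report below are constructed.

# Compose the `trivy image` arguments for the "comprehensive scan".
# $1 image reference, $2 comma-separated severities, $3 JSON output path.
# Current Trivy spells the skip flag --skip-db-update (older docs: --skip-update).
build_scan_args() {
  printf 'image --severity %s --ignore-unfixed --skip-db-update -f json -o %s %s' \
    "$2" "$3" "$1"
}

# Run the scan when trivy is installed; the exit status is trivy's own.
scan_image() {
  command -v trivy >/dev/null 2>&1 || { echo "trivy not installed" >&2; return 127; }
  # shellcheck disable=SC2046  (arguments contain no spaces by construction)
  trivy $(build_scan_args "$1" "${2:-HIGH,CRITICAL}" "${3:-results.json}")
}

# Write a .trivyignore: one vulnerability ID per line, comments allowed with '#'.
# $1 path, remaining arguments are the IDs to suppress.
write_ignore_file() {
  path=$1; shift
  printf '# reviewed suppressions; revisit when the base image changes\n' > "$path"
  for id in "$@"; do
    printf '%s\n' "$id" >> "$path"
  done
}

# Count findings of one severity in a Trivy JSON report (schema v2).
# $1 report path, $2 severity (e.g. CRITICAL). Works without jq.
count_severity() {
  grep -o "\"Severity\": *\"$2\"" "$1" | wc -l | tr -d ' '
}

# Gate: succeed only when the report contains no CRITICAL findings.
severity_gate() {
  [ "$(count_severity "$1" CRITICAL)" -eq 0 ]
}

# Constructed sample report in Trivy's JSON layout (IDs are placeholders).
write_sample_report() {
  cat > "$1" <<'EOF'
{
  "SchemaVersion": 2,
  "ArtifactName": "example.local/app:1.0",
  "Results": [
    {
      "Target": "example.local/app:1.0 (alpine 3.18)",
      "Vulnerabilities": [
        {"VulnerabilityID": "SAMPLE-0001", "PkgName": "libx", "InstalledVersion": "1.0", "FixedVersion": "1.1", "Severity": "CRITICAL"},
        {"VulnerabilityID": "SAMPLE-0002", "PkgName": "liby", "InstalledVersion": "2.0", "FixedVersion": "2.1", "Severity": "HIGH"},
        {"VulnerabilityID": "SAMPLE-0003", "PkgName": "libz", "InstalledVersion": "3.0", "FixedVersion": "", "Severity": "HIGH"},
        {"VulnerabilityID": "SAMPLE-0004", "PkgName": "libw", "InstalledVersion": "4.0", "FixedVersion": "4.1", "Severity": "MEDIUM"}
      ]
    }
  ]
}
EOF
}

# Stand-alone run: show the command line, count findings, apply the gate.
main() {
  report=$(mktemp)
  write_sample_report "$report"
  echo "would run: trivy $(build_scan_args example.local/app:1.0 HIGH,CRITICAL "$report")"
  echo "CRITICAL: $(count_severity "$report" CRITICAL)  HIGH: $(count_severity "$report" HIGH)"
  if severity_gate "$report"; then echo "gate: pass"; else echo "gate: FAIL (critical findings present)"; fi
  rm -f "$report"
}

main "$@"
```

In a pipeline, call scan_image and then severity_gate on the JSON it wrote; the gate's non-zero exit is what fails the build. Counting with grep keeps the script dependency-free, but on real reports prefer jq (for example selecting .Results[].Vulnerabilities[] by .Severity) so that fields inside description strings cannot be miscounted.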